Improving RFID in a Healthcare Environment Session 245, March 8, 2018 Mitchell Parker, Executive Director, Information Security and Compliance, IU Health 1 Conflict of Interest Mitchell Parker, MBA Has no real or apparent conflicts of interest to report. 2 Agenda • Explanation of RFID • Healthcare Use Cases/Potential Use Cases • Privacy and Security Concerns • What Risks are We Guarding Against? • Foundation – Infrastructure and Processes you need • Implementing RFID on top of Foundation • Expected Benefits 3 Learning Objectives • Demonstrate understanding and appreciation for the fundamentals of RFID technology • Apply the knowledge gained to better secure existing RFID implementations • Assess RFID-based technologies for appropriate privacy and security protection • Describe future RFID technologies and how they can influence the healthcare environment 4 What is RFID? • Radio Frequency Identification • Wireless transmission of information from a transponder (tag) to a reader without visibility • Transfers can be bidirectional • Tags can be attached, implanted, or built into a device • Designed to supply data to/from data collection systems • Also designed to identify and authenticate users (contactless smart cards) 5 What is RFID? • Can be Active or Passive – Passive – • No Internal Power Source – powered by signals • Low Price per Tag • Wide variety of form factors and uses • Can be used for transactions/ID – Philips MIFARE technology – Does support encryption (ISO 14443-4 standard) 6 What is RFID? • Can be Active or Passive – Active – • Battery-powered tags • Broadcast their own signals – Either in response or by “beaconing” • Much longer range • Higher cost ($20-$100 per device) • Generally used for high-value items 7 What is a specific example? • RFID-enabled toll cards (NXP MiFare) – Better known as the SmarTrip (DC Metro), PATH SmartLink (Ny/NJ), CharlieCard (Boston), or BreezeCard (Atlanta) – Over 1 billion of these cards in use since 2002 to provide contactless and effortless entry to public transportation – Instead of bulky tickets or machines that can break, RFID is used instead to provide a simple solution – This means millions of cards in use daily not only in the US, but across the world 8 Healthcare Use Cases • What are the benefits and why should I use it? – RFID uses radio signals. Barcodes or other visual inspection methods require line of sight – RFID has nearly indestructible sensor implementations • Barcodes or visual methods can break or fade easily – It is easier to scan using a receiver than sending people out – You don’t need to put sensors in controlled areas that require sterilization • Reduce infection and sterilization risks! 9 Healthcare Use Cases • Asset Management and Inventorying – Very critical for HIPAA compliance of IT assets • Equipment Tracking – Surgical Equipment Management and Tracking • Physical Security Access/Door Access/Security Systems • Real-Time Location Services (along with Wi-Fi and other means) – Baby Tracking • Authentication (tap and go cards) 10 Potential/Future Use Cases • Implantable Devices – Can give more than just an ID number – As implants get more sophisticated, give complex status results whenever queried – Make it significantly easier to query them 11 Potential/Future Use Cases • Contactless Payments in Healthcare – PCI compliance is a challenge for many organizations – RFID can increase complexity and decrease security unless done right • Many retailers are looking at contactless payments • Patient satisfaction and engagement starting to use this – What we want to do is provide a baseline that can be used to secure both PCI and RFID 12 Potential/Future Use Cases • Tap & Go Logins for patients – Patients using these logins for portals, food service, or self- service for appointments and services – Streamlining patient experience – Saving money by providing more services automatically – However, if you implement them correctly, you lower the risk while providing a better experience 13 Privacy and Security Concerns • RFID has a bad reputation for privacy and security – Perception that people will read information out there without being traced and cause ID theft – A number of vendors making RFID-proof wallets to protect credit cards and passports – Android Cell Phones modified to steal contactless credit card info using NFCProxy application – DEFCon 25 showed that it’s possible to spoof credit cards using cheap dedicated hardware (UniProxy) 14 Privacy and Security Concerns • There is the potential of being able to clone RFID tokens for physical or computer system access • There is the potential for spoofing IDs for fraudulent inventorying • Internet of Things/Automation security issues • Security not built into RFID natively • Due to lack of security, easy to forge/clone information 15 What are we guarding against? • Spoofing of RFIDs • Unauthorized copying/interception of RFIDs • Interception of data • Attacking back-end processing systems • Network-based attacks • Device-based attacks 16 What are we guarding against? • Supply Chain Attacks – Generally, Supply Chains use a large number of handheld and wireless devices – Many of them run Android or older versions of Linux • Some devices even run Windows CE – Easy to attack or intercept traffic on devices not patched for recent vulnerabilities – Easier to attack networks and systems not designed for security 17 What are we guarding against? • Supply Chain Attacks – Back-end systems for Supply Chain, specifically Inventory Management and Enterprise Resource Planning, also have a large number of vulnerabilities – ERP systems in particular are often wide open – They are a major driver of automating the complexity of hospital supply chain management – RFID has a potential to cause corruption of financial/inventory/asset management systems 18 What are we guarding against? • Interception of patient information – As medical devices and implants start to use RFID, the potential for device association with a patient increases • Already a concern with surgical device and tool tracking – We need to isolate by design patient information from RFID readers and devices as much as possible to reduce risk – Address concerns with association of devices and tools to patients 19 What are we guarding against? We need to have forensically sound data flows • We cannot protect against attacks if we don’t have a full understanding of them • We need to understand where information can be compromised and where to protect it • We need to know where to look for discrepancies and why • If there is an issue, we need to document it and show defensible processes to assure integrity, confidentiality, and availability of data 20 What are we guarding against? • We cannot stop the unauthorized reading of RFID tags or information – However, we can limit the association of these tags with patient information – esp. with ID cards – We can protect the systems that store and process the data – We can make it harder to spoof or inject bad data by segmenting off data collection – We can also make it harder by maintaining systems and being vigilant about reviewing data input 21 Foundation – What You Need • Processes – Asset Management – Know What You Have – Systems Management – Maintain What You Have – Systems Design – Design isolation and minimum necessary communications into the network – Vulnerability Management – Address Their Vulnerabilities – Physical Security – Protect the Environment 22 Asset Management • RFID is a major part of asset management • However, we need to know what devices we have that can read/write RFID tags • We also need to know what devices and systems will store or process this data – We need to know their capabilities – We need to log and audit transactions they make • We need to know what we have to protect it because unmanaged devices can lead to multiple issues 23 Systems Management • It’s about managing the entire ecosystem identified by Asset Management – Every security framework and standard requires this as a base • Make sure that we manage these systems to keep them up to date • Maintain them and keep them supported – A lot of data collection equipment isn’t kept up to date – A lot of equipment sold into the Supply Chain market runs out of date software • Plan for Obsolescence 24 Systems Management • Map out the data flows from devices and tags all the way to the systems of record that will be storing and transacting collected information – Store the minimum necessary information on the tags – Don’t store information that can directly relate to a patient in the data collection systems • Do not associate RFID tags with patient info in any way! • Store them in the EMR or system of record • If you have to use indirect associations through a data warehouse, it’s better to do so 25 Systems Management • Asset Management – A lot of IT Asset Management (ITAM) systems rely on manual entry for locations – So does Active Directory or other Directory Services – Linking RFID-based asset tracking to ITAM removes a significant amount of work that needs to be done to keep inventory locations current – Solves for the location tracking component 26 Systems Design • You need to design to several objectives: – Segment off data collection traffic from everything else – Enforce data flow through appropriate network paths – Protect data at rest and in transit using encryption – Validate and verify data inputs and collection through auditing and reporting – Retain Data for only as long as you need it and nothing more 27 Systems Design • If these